The primary purpose of any organization using Microsoft 365 is to collaborate more effectively. However, there are times where restrictions may be needed to control communication and collaboration. Within certain situations or scenarios, organizations might need to restrict communication and collaboration between two groups. It might be to avoid a conflict of interest occurring in the organization or safeguard internal information. Compliance administrators and Information barriers administrators define policies to either allow or prevent communications between groups of users in Microsoft Teams.

Information barriers support Microsoft Teams, SharePoint Online, and OneDrive for Business. Information barriers comprise:

  • User account attributes populated in Azure Active Directory or Exchange Online (as required).
  • Segments of users defined in the Microsoft 365 compliance center using a selected user account attribute.
  • Information barrier policies that block or allow communication between segments.

When implementing Information Barriers, there are a few steps; they are:

  • Step 1: Complete Prerequisites
  • Step 2: Segment users within the organization
  • Step 3: Create the information barriers
  • Step 4: Apply the created information barriers

Step 1: Complete Prerequisites

As with many features within Microsoft 365, users must have the correct licensing. Information barrier policies work only if the users are assigned an Exchange Online license. The following licenses include Information barrier policies:

  • Microsoft 365 E5/A5/A3/A1
  • Office 365 E5/A5/A3/A1
  • Office 365 Advanced Compliance
  • Microsoft 365 Compliance E5/A5
  • Microsoft 365 Insider Risk Management

Outside of licensing, you must enable scoped directory search for the tenant. This is done in the “Microsoft Teams admin center” under “Org-wide settings” and is a simple toggle to “On”.

For example, you may have multiple companies within the same Microsoft 365 tenant and need to separate them, or if you are a school, you may want to control chats between students and teachers.

In conjunction with the licenses and the scoped directory search setting, the Microsoft 365 audit log needs to be enabled. You can enable it using PowerShell, connected to Exchange Online:

# Connect to Exchange Online first; the audit log setting lives there
Connect-ExchangeOnline

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Lastly, you need to grant admin consent for information barrier policies within Microsoft Teams. PowerShell is the most straightforward approach:

Connect-AzureAD

# Application ID of the information barrier processor application
$appid = "bcf62038-e005-436d-b970-2a472f8c1982"
$appsp = Get-AzureADServicePrincipal -Filter "appid eq '$($appid)'"

# Create the service principal in the tenant if it does not exist yet
if ($null -eq $appsp)
{
	New-AzureADServicePrincipal -AppId $appid
}

# Open the admin consent page for the application in the default browser
Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appid"

The prerequisites are now complete, and you can start to segment the organization. Be aware that some of the executed commands may take time to take effect within the tenant; they could take up to 24 hours.

Step 2: Segment users within the organization

To segment the users correctly, each user must have the relevant property values populated to reflect the required segmentation. For example, you may want to segment by department; however, if the “Department” field in Azure Active Directory is empty, this will not work.

As a basic example, you can create a segment for “Human Resources” only by using the “Department” property and matching the “Human Resources” value.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Backticks continue the command onto the next line
New-OrganizationSegment `
	-Name "Human Resources" `
	-UserGroupFilter "Department -eq 'Human Resources'"

Another option is to create a segment that includes specific departments only. To test the filter, you can use “Get-AzureADUser” with the “Filter” parameter.

Get-AzureADUser `
	-All:$true `
	-Filter "Department eq 'Retail' or Department eq 'Marketing'"

Now you know the filter works, you can use it for the segment.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession

New-OrganizationSegment `
	-Name "Segment A (Only Retail and Marketing)" `
	-UserGroupFilter "Department -eq 'Retail' -or Department -eq 'Marketing'"

A more advanced option combines several properties. The best practice, however, is to limit the properties you use for the segments. Once again, test the query before using it in the segment.

Get-AzureADUser `
	-All:$true `
	-Filter "(UserType eq 'Guest') and ((Department eq 'IT') or (Department eq 'Support'))"

The segment PowerShell looks like this:

Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Note the -and / -or operators in the segment filter syntax (not "and" / "or" as in the Azure AD filter)
New-OrganizationSegment `
	-Name "Guests (IT and Support only)" `
	-UserGroupFilter "(UserType -eq 'Guest') -and ((Department -eq 'IT') -or (Department -eq 'Support'))"

Planning the segments is critical to the success of using information barriers. A simple structure based on departments will suffice in most organizations, with more complex segments reserved for specific situations and requirements. It is essential to determine the communication direction and whether the policies will “Block” or “Allow” access and communication. The following script creates one department-based segment for each department in the list:

Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$segments = @(
	"Human Resources"
	"Sales"
	"Marketing"
	"Research"
	"Manufacturing"
) | ForEach-Object {
	New-OrganizationSegment `
		-Name "$_" `
		-UserGroupFilter "Department -eq '$_'"
}

Once created, you can check they exist using the following command:

Get-OrganizationSegment | Select-Object Name, UserGroupFilter
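Because a user with an empty or unexpected “Department” value falls outside every department-based segment, it is worth checking attribute coverage before creating the segments. The following pre-flight report is an added example and not part of the original article; it assumes an existing Connect-AzureAD session, and the list of planned departments is constructed for illustration.

```powershell
# Added example (not from the original article): report users whose Department
# attribute is empty or does not match any planned segment, before creating segments.
# Assumes Connect-AzureAD has already been run; the department list is constructed.
$plannedDepartments = @("Human Resources", "Sales", "Marketing", "Research", "Manufacturing")

function Get-SegmentCoverageReport {
    param(
        [Parameter(Mandatory)] [object[]] $Users,        # objects with UserPrincipalName, Department, UserType
        [Parameter(Mandatory)] [string[]] $Departments   # departments the segments will be built on
    )
    $missing   = @()   # no Department at all: these users fall outside every segment
    $unmatched = @()   # Department set, but not one the planned segments will match
    foreach ($u in $Users) {
        if ([string]::IsNullOrWhiteSpace($u.Department)) {
            $missing += $u.UserPrincipalName
        } elseif ($Departments -notcontains $u.Department) {
            $unmatched += "$($u.UserPrincipalName) ($($u.Department))"
        }
    }
    [pscustomobject]@{
        Total     = $Users.Count
        Covered   = $Users.Count - $missing.Count - $unmatched.Count
        Missing   = $missing
        Unmatched = $unmatched
    }
}

# Pull every user (members and guests) and run the report
$users  = Get-AzureADUser -All $true | Select-Object UserPrincipalName, Department, UserType
$report = Get-SegmentCoverageReport -Users $users -Departments $plannedDepartments

"$($report.Covered) of $($report.Total) users will fall into a planned segment"
if ($report.Missing)   { "No Department set:";        $report.Missing   | ForEach-Object { "  $_" } }
if ($report.Unmatched) { "Department not segmented:"; $report.Unmatched | ForEach-Object { "  $_" } }
```

Fix the attributes in Azure Active Directory (or adjust the planned segments) until the report shows no missing or unmatched users, then create the segments.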

Step 3: Create the information barriers

When creating the policies, you must first decide whether to prevent communications between specific segments or limit communications to specific segments.

The “New-InformationBarrierPolicy” command takes the “AssignedSegment” parameter for the chosen segment, plus either the “SegmentsBlocked” or the “SegmentsAllowed” parameter.

If you wanted to block communication between “Manufacturing” and “Research,” you create two policies, one for each side of the block.

New-InformationBarrierPolicy `
	-Name "Block Manufacturing to Research" `
	-AssignedSegment "Manufacturing" `
	-SegmentsBlocked "Research" `
	-State Inactive

New-InformationBarrierPolicy `
	-Name "Block Research to Manufacturing" `
	-AssignedSegment "Research" `
	-SegmentsBlocked "Manufacturing" `
	-State Inactive

You can also create “one-sided” policies that block one direction while allowing the other. If you wanted to block communication from “Sales” to “Human Resources” but allow communication from “Human Resources” to “Sales,” you create these two policies.

New-InformationBarrierPolicy `
	-Name "Block Sales to Human Resources" `
	-AssignedSegment "Sales" `
	-SegmentsBlocked "Human Resources" `
	-State Inactive

New-InformationBarrierPolicy `
	-Name "Allow Human Resources to Sales" `
	-AssignedSegment "Human Resources" `
	-SegmentsAllowed "Sales","Human Resources" `
	-State Inactive

NOTE: When setting allowed segments, you must always include the assigned segment.
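A policy that references a segment that does not exist, an allow list that omits the assigned segment, or two policies assigned to the same segment will fail or misbehave at application time. The validator below is an added example and not part of the original article; it checks a planned policy set offline against the segments returned by Get-OrganizationSegment. The plan itself is constructed from the policies above, and the “one policy per segment” and “a segment cannot block itself” rules are the author’s additions based on how the policies are applied.

```powershell
# Added example (not from the original article): validate a planned set of
# information barrier policies before running New-InformationBarrierPolicy.
# Assumes a Connect-IPPSSession; the $plan below is constructed for illustration.
$existingSegments = Get-OrganizationSegment | Select-Object -ExpandProperty Name

$plan = @(
    @{ Name = "Block Sales to Human Resources";  AssignedSegment = "Sales";           SegmentsBlocked = @("Human Resources") }
    @{ Name = "Allow Human Resources to Sales";  AssignedSegment = "Human Resources"; SegmentsAllowed = @("Sales", "Human Resources") }
    @{ Name = "Block Manufacturing to Research"; AssignedSegment = "Manufacturing";   SegmentsBlocked = @("Research") }
)

function Test-InformationBarrierPlan {
    param([hashtable[]] $Policies, [string[]] $Segments)
    $issues = @()
    foreach ($p in $Policies) {
        $blocked = if ($p.SegmentsBlocked) { @($p.SegmentsBlocked) } else { @() }
        $allowed = if ($p.SegmentsAllowed) { @($p.SegmentsAllowed) } else { @() }
        # Exactly one of SegmentsBlocked / SegmentsAllowed must be used
        if (($blocked.Count -gt 0) -eq ($allowed.Count -gt 0)) {
            $issues += "$($p.Name): use either SegmentsBlocked or SegmentsAllowed, not both or neither"
        }
        # Every segment the policy refers to must already exist
        foreach ($s in (@($p.AssignedSegment) + $blocked + $allowed)) {
            if ($Segments -notcontains $s) { $issues += "$($p.Name): segment '$s' does not exist" }
        }
        # Allow lists must include the assigned segment itself (see NOTE above)
        if ($allowed.Count -gt 0 -and $allowed -notcontains $p.AssignedSegment) {
            $issues += "$($p.Name): SegmentsAllowed must include '$($p.AssignedSegment)'"
        }
        # A segment must not block itself
        if ($blocked -contains $p.AssignedSegment) { $issues += "$($p.Name): a segment cannot block itself" }
    }
    # Each segment may be assigned to only one policy
    $Policies | Group-Object { $_.AssignedSegment } | Where-Object Count -gt 1 | ForEach-Object {
        $issues += "segment '$($_.Name)' is assigned to $($_.Count) policies"
    }
    return $issues
}

$issues = Test-InformationBarrierPlan -Policies $plan -Segments $existingSegments
if ($issues) { $issues | ForEach-Object { "ISSUE: $_" } } else { "Plan is consistent; safe to create the policies." }
```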

Step 4: Apply the created information barriers

With the information barrier policies now created, they need to be applied.

To apply them, execute the “Start-InformationBarrierPoliciesApplication” command. It only affects policies whose “State” is set to “Active,” so you must first change the “State” to “Active” and then execute the command.

NOTE: If you executed the command while the state was set to “Inactive,” you may have to wait for the policies to completely deploy before applying them.

$policies = Get-InformationBarrierPolicy
$policies | ForEach-Object {
	Set-InformationBarrierPolicy -Identity $_.Guid -State Active
}

Start-InformationBarrierPoliciesApplication

One of the last items, if required, is

As you can see, there is excellent protection that comes from using Information Barrier policies.